SSL BEST PRACTICES OVERVIEW

Size: px
Start display at page:

Download "SSL BEST PRACTICES OVERVIEW"

Transcription

1 SSL BEST PRACTICES OVERVIEW

2 THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL % 5.5% 36.7% https://www.trustworthyinternet.org/ssl-pulse/ 83.1% vulnerable to BEAST attack 5.5% vulnerable to CRIME attack 36.7% do not support Forward Secrecy 2015 Entrust Datacard Corporation. All rights reserved.

3 YOU ARE RESPONSIBLE! SSL/TLS Protocol Protocol Implementation CA Implementation Defense Evolving Standards Defense Bug free deployment Defense Evolving CA Rqmts Ex. POODLE Ex. Heartbleed Ex. DigiNotar Responsibility IETF Responsibility Server Browser vendors Responsibility CA Browser Forum, Browsers and CA s SERVER IMPLEMENTATION Responsibility=YOU 2015 Entrust Datacard Corporation. All rights reserved.

4 2015 Entrust Datacard Corporation. All rights reserved.

5 2015 Entrust Datacard Corporation. All rights reserved. Private Key Protection Key Size Signing Algorithm Self-signed Certificates

6 Private Keys Private Key Public Key Used to compute secure session If compromised, session could be compromised or identity can be forged Best Practice: Keysize 2048 bit RSA Keys Elliptic Curve P-256 or P-384 > 2048 bit keys are not necessary Best Practice: Private Key Protection Password protect private keys Restrict access to private keys Mark keys as non exportable Create new keys when renewing/replacing certificates Revoke compromised keys Consider storing high value keys on hardware 1 Key per device, avoid private key duplication Entrust, Inc. All rights reserved.

7 Certificate Signing Algorithms Best Practice: Signing Algorithms Use SHA-2 for all new certificates Replace SHA-1 certificates with SHA-2 SHA-1 is a secure hashing algorithm that puts a unique identity in the signature for a certificate that cannot be duplicated for another certificate SHA-1 is showing weakness and is being replaced with SHA-2 Chrome V41 will deprecate usage of SHA-1 on certs expiring 2016 and beyond SHA-1 will be fully deprecated in 2017 Entrust, Inc. All rights reserved.

8 2015 Entrust Datacard Corporation. All rights reserved. Secure Protocols Secure Cipher Suites Valid Certificate Chains Renegotiation TLS Compression Session Resumption

9 Root Issuing CA End Entity Certificate Chains All Public Certificate Authorities are required to issue certificates from a subordinate CA, leaving the root offline The chain certificate is not embedded in client devices The server must present the certificate chain to the client Certificate Chains are commonly misconfigured, resulting in a certificate not trusted dialogue for end users Best Practices: Certificate Chains Follow your vendors device specific chain installation instructions Use SSL Checkers to verify that the complete chain is presented by your server do not rely on browser testing! Entrust, Inc. All rights reserved.

10 Protocols Protocol for secure session is negotiated between what the server and client support Accepted protocols can be controlled at the server level SSL/TLS Protocol List: SSL v2 - Insecure SSL v3 - Insecure when used with HTTP, should be avoided TLS 1.0 Largely insecure, should be avoided TLS Secure TLS Secure Best Practices: Protocols TLS 1.2 should be the main protocol used Enable TLS 1.0 and 1.1 for maximum client support, using other configuration to mitigate potential vulnerabilities Entrust, Inc. All rights reserved.

11 Cipher Suites In SSL/TLS, Ciphers Suites are used to define how secure communication and encryption takes places Collection of encryption algorithms if one is found to be weak, switch to another Ciphers configured at the server level client must support ciphers enabled by server Best Practices: Cipher Suites Caesar Cipher One of the oldest ciphers ever used Only use suites that support authentication, encryption of 128 bits or higher Avoid suites with weak ciphers (40 & 56 bits) Avoid CBC encryption mode RC4 is considered weak and it should be disabled consider interoperability impact first as this is widely used by clients Use Validation Tools such as SSL Labs to check to see if your server is accepting insecure ciphers. Entrust, Inc. All rights reserved.

12 2015 Entrust Datacard Corporation. All rights reserved. Mixed Content Third party Trust Secure Cookies Cross-site Scripting (XSS) Malware

13 2015 Entrust Datacard Corporation. All rights reserved. Perfect Forward Secrecy OCSP Stapling HTTP Strict Transport Security (HSTS)

14 HTTP Strict Transport Security (HSTS) Best Practices: HSTS Enable HSTS for all secure web pages, as an extension of SSL Always-ON According to Ivan Ristic, this it the single most important improvement you can make for the TLS security of your websites Extension of Always-On SSL concept Can be used for websites that only allow HTTPS Convey to HSTS supported browsers that your site is only available via HTTPS, by sending HSTS value header Supporting browsers automatically change HTTP queries to HTTPS Browsers that do not support HSTS header will simply ignore Used to mitigate sslstrip vulnerability In the case of MTM, HSTS does not allow the user to override the invalid certificate error Entrust, Inc. All rights reserved. 14 9/29/2015

15 Certificate Transparency Certificate Reputation HTTP Public Key Pinning (HPKP) Certification Authority Authorization (CAA) 2015 Entrust Datacard Corporation. All rights reserved.

16 Multi-SAN Certificates Extended Validation (EV) Elliptic Curve Cryptography (ECC) Private Trust 2015 Entrust Datacard Corporation. All rights reserved.

17 Certificate Validation Models Best Practices: Certificates Use EV for high traffic or value websites OV should be used for public sites when EV is not required DV should only be used when Identity is not required (internal use or for non browser based applications) Entrust, Inc. All rights reserved.

18 Advanced Certificate Types Multi-SAN Certificates Single Certificate that support multiple URLs or public IP Addresses Use on Load Balancers and Firewalls Wildcard Certificates Dynamically support unlimited number of sub domains (*.abc.com) Domain coverage is wide, making the certificate and private key high value Use on Load Balancer and Firewalls for environments that are constantly changing ECC Certificates 256 bit EC private key offers better security and performance than RSA 2048 bit keys Limited client side support Private Trust SSL Certificates Used internally, not publicly trusted On premise PKI or hosted PKI service Are required November 2015 for certificate issued to Non-Fully Qualified Domain Names Entrust, Inc. All rights reserved. 18 9/29/2015

19 SSL on all Websites Mitigates HTTP attacks Increases Security Provides User Privacy Deploy HSTS 2015 Entrust Datacard Corporation. All rights reserved.

20 Security Partner Certificate Management Certificate Discovery Variety of Certificates Certificate/Website Scan Responsive CRL/OCSP 2015 Entrust Datacard Corporation. All rights reserved.

21 Choosing a Certificate Authority Security Posture, History, and Compliance Certificate Policies Root Embedding Services Offered (CRL/OCSP,Cert Types, ECC) Certificate Management Tools Support Entrust, Inc. All rights reserved. 21 9/29/2015

22 Tools and Resources SSL Labs Server Test SSL Chain Checkers Open SSL Certificate Discovery Certificate Management Tool Malware Scanner Bulletproof SSL Certificate Management Entrust, Inc. All rights reserved. 22 9/29/2015

23 SSL/TLS SERVER TEST 2015 Entrust Datacard Corporation. All rights reserved.

24 BULLETPROOF SSL AND TLS Written by SSL Expert, Ivan Ristic Most comprehensive guide to SSL Best Practices on the market Recommended reading for any IT Security professional dealing with SSL and certificates Available at Feisty Duck or on Amazon Included free of charge with Entrust Cloud SSL Enterprise 2015 Entrust Datacard Corporation. All rights reserved.

25 Thank you! Questions? Entrust Datacard Corporation. All rights reserved.

Is Your SSL Website and Mobile App Really Secure?

Is Your SSL Website and Mobile App Really Secure? Is Your SSL Website and Mobile App Really Secure? Agenda What is SSL / TLS SSL Vulnerabilities PC/Server Mobile Advice to the Public Hong Kong Computer Emergency Response Team Coordination Centre 香 港 電

More information

SSL Report: ebfl.srpskabanka.rs (91.240.6.48)

SSL Report: ebfl.srpskabanka.rs (91.240.6.48) Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > SSL Report: (91.240.6.48) Assessed on: Sun, 03 Jan 2016 15:46:07 UTC HIDDEN Clear cache Scan Another» Summary Overall

More information

SSL and Browsers: The Pillars of Broken Security

SSL and Browsers: The Pillars of Broken Security SSL and Browsers: The Pillars of Broken Security Ivan Ristic Wolfgang Kandek Qualys, Inc. Session ID: TECH-403 Session Classification: Intermediate SSL, TLS, And PKI SSL (or TLS, if you prefer) is the

More information

SSL/TLS: The Ugly Truth

SSL/TLS: The Ugly Truth SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography

More information

SSL Server Rating Guide

SSL Server Rating Guide SSL Server Rating Guide version 2009j (20 May 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.

More information

A Study of What Really Breaks SSL HITB Amsterdam 2011

A Study of What Really Breaks SSL HITB Amsterdam 2011 A Study of What Really Breaks SSL HITB Amsterdam 2011 v1.0 Ivan Ristic Michael Small 20 May 2011 Agenda 1. State of SSL 2. Quick intro to SSL Labs 3. SSL Configuration Surveys 4. Survey of Actual SSL Usage

More information

SSL: Paved With Good Intentions. Richard Moore rich@westpoint.ltd.uk

SSL: Paved With Good Intentions. Richard Moore rich@westpoint.ltd.uk SSL: Paved With Good Intentions Richard Moore rich@westpoint.ltd.uk Why do we need SSL? Privacy Online shopping Online banking Identity Protection Data Integrity Early SSL First public version was SSLv2

More information

HTTPS is Fast and Hassle-free with CloudFlare

HTTPS is Fast and Hassle-free with CloudFlare HTTPS is Fast and Hassle-free with CloudFlare 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com In the past, organizations had to choose between performance and security when encrypting their

More information

Installation and usage of SSL certificates: Your guide to getting it right

Installation and usage of SSL certificates: Your guide to getting it right Installation and usage of SSL certificates: Your guide to getting it right So, you ve bought your SSL Certificate(s). Buying your certificate is only the first of many steps involved in securing your website.

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc. OpenADR 2.0 Security Jim Zuber, CTO QualityLogic, Inc. Security Overview Client and server x.509v3 certificates TLS 1.2 with SHA256 ECC or RSA cipher suites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256

More information

SSL Report: ebanking.aikbanka.rs ( )

SSL Report: ebanking.aikbanka.rs ( ) Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > SSL Report: (213.240.51.166) Assessed on: Sun, 03 Jan 2016 14:36:01 UTC HIDDEN Clear cache Scan Another» Summary Overall

More information

SSL implementieren aber sicher!

SSL implementieren aber sicher! SSL implementieren aber sicher! Karlsruher Entwicklertag 2014 21.05.2014 Dr. Yun Ding SSL in the news 2011 2012 2013 2014 BEAST CRIME Lucky 13 Compromised CAs RC4 biases BREACH DRBG Backdoor Apple goto

More information

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating

More information

Implementation Vulnerabilities in SSL/TLS

Implementation Vulnerabilities in SSL/TLS Implementation Vulnerabilities in SSL/TLS Marián Novotný novotny@eset.sk ESET, spol. s r.o. Bratislava, Slovak Republic Abstract SSL/TLS protocol has become a standard way for establishing a secure communication

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Certificate Management. PAN-OS Administrator s Guide. Version 7.0 Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Cryptography for Software and Web Developers

Cryptography for Software and Web Developers Cryptography for Software and Web Developers Part 1: Web and Crypto Hanno Böck 2014-05-28 1 / 14 HTTP and HTTPS SSL Stripping Cookies Mixed content HTTPS content, HTTP images Many webpages use some kind

More information

DigiCert: Trusted Business for the Enterprise and Its Customers

DigiCert: Trusted Business for the Enterprise and Its Customers DigiCert: Trusted Business for the Enterprise and Its Customers A leading online trust provider, DigiCert offers multiple products to suit the security needs of enterprises within the finance, healthcare,

More information

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 UNCLASSIFIED Example http ://www. greatstuf f. com Wants credit card number ^ Look at lock on browser Use https

More information

Bugzilla ID: Bugzilla Summary:

Bugzilla ID: Bugzilla Summary: Bugzilla ID: Bugzilla Summary: CAs wishing to have their certificates included in Mozilla products must 1) Comply with the requirements of the Mozilla CA certificate policy (http://www.mozilla.org/projects/security/certs/policy/)

More information

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address : 69.43.165.11

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address : 69.43.165.11 Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: rsync.net ASV Company: Comodo CA Limited 06-02-2015 Scan expiration date: 08-31-2015 Part 2. Component

More information

Walking The Security & Privacy Talk Moving from Compliance to Stewardship

Walking The Security & Privacy Talk Moving from Compliance to Stewardship Walking The Security & Privacy Talk Moving from Compliance to Stewardship 02/28/2014 SESSION ID: DSP-F01 Craig Spiezle (moderator) Executive Director & President, Online Trust Alliance Rick Andrews Senior

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

Real-Time Communication Security: SSL/TLS. Guevara Noubir noubir@ccs.neu.edu CSU610

Real-Time Communication Security: SSL/TLS. Guevara Noubir noubir@ccs.neu.edu CSU610 Real-Time Communication Security: SSL/TLS Guevara Noubir noubir@ccs.neu.edu CSU610 1 Some Issues with Real-time Communication Session key establishment Perfect Forward Secrecy Diffie-Hellman based PFS

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Microsoft Trusted Root Certificate: Program Requirements

Microsoft Trusted Root Certificate: Program Requirements Microsoft Trusted Root Certificate: Program Requirements 1. Introduction The Microsoft Root Certificate Program supports the distribution of root certificates, enabling customers to trust Windows products.

More information

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate

More information

More on SHA-1 deprecation:

More on SHA-1 deprecation: Dear PTC Axeda Customer, This message specifies Axeda and IDM Agent upgrade requirements and timelines for transitioning Axeda Enterprise Server, Global Access Server (GAS), Policy Server, and Questra

More information

SSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust

SSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust SSL Interception Proxies Jeff Jarmoc Sr. Security Researcher Dell SecureWorks and Transitive Trust About this talk History & brief overview of SSL/TLS Interception proxies How and Why Risks introduced

More information

White Paper. Enhancing Website Security with Algorithm Agility

White Paper. Enhancing Website Security with Algorithm Agility ENHANCING WEBSITE SECURITY WITH ALGORITHM AGILITY White Paper Enhancing Website Security with Algorithm Agility Enhancing Website Security with Algorithm Agility Contents Introduction 3 Encryption Today

More information

Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs OWASP AppSec APAC 2012 The OWASP Foundation http://www.owasp.org Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

More information

SSL Report: okidirect.co.uk (84.18.207.58)

SSL Report: okidirect.co.uk (84.18.207.58) Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > okidirect.co.uk SSL Report: okidirect.co.uk (84.18.207.58) Assessed on: Fri, 26 Jun 2015 12:51:45 UTC HIDDEN Clear cache

More information

Complete Website Security

Complete Website Security Symantec TM Complete Website Security Symantec is the world s leading provider of Internet trust, authentication and security solutions. Symantec TM Complete Website Security offers you SSL management

More information

2014 IBM Corporation

2014 IBM Corporation 2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB Scott Rea DigiCert, Inc. Session ID: SEC-T02 Session Classification: Intermediate BACKGROUND: WHAT IS A CERTIFICATION AUTHORITY? What is a certification

More information

EXECUTIVE BRIEF. IT and Business Professionals Say Website Attacks are Persistent and Varied. In this Paper

EXECUTIVE BRIEF. IT and Business Professionals Say Website Attacks are Persistent and Varied. In this Paper Sponsored by IT and Business Professionals Say Website Attacks are Persistent and Varied EXECUTIVE BRIEF In this Paper Thirty percent of IT and business professionals say their organization was attacked

More information

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP) Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic

More information

Secure Sockets Layer

Secure Sockets Layer SSL/TLS provides endpoint authentication and communications privacy over the Internet using cryptography. For web browsing, email, faxing, other data transmission. In typical use, only the server is authenticated

More information

SSL: A False Sense of Security? How the Tenable Solution Restores SSL Effectiveness and Mitigates Related Threats

SSL: A False Sense of Security? How the Tenable Solution Restores SSL Effectiveness and Mitigates Related Threats SSL: A False Sense of Security? How the Tenable Solution Restores SSL Effectiveness and Mitigates Related Threats White Paper Copyright 2002-2012 Tenable Network Security, Inc. Tenable Network Security,

More information

Proto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL. http://www.protonet.co.za/

Proto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL. http://www.protonet.co.za/ Proto Balance SSL TLS Off-Loading, Load Balancing http://www.protonet.co.za/ User Manual - SSL Copyright c 2003-2010 Shine The Way 238 CC. All rights reserved. March 13, 2010 Contents 1. Introduction........................................................................

More information

Internet SSL Survey 2010! Black Hat USA 2010

Internet SSL Survey 2010! Black Hat USA 2010 Internet SSL Survey 2010! Black Hat USA 2010 Ivan Ristic Director of Engineering, Web Application Firewall and SSL iristic@qualys.com / @ivanristic July 29th, 2010 (v1.6) Agenda 1. Why do we care about

More information

Analyzing DANE's Response to Known DNSsec Vulnerabilities

Analyzing DANE's Response to Known DNSsec Vulnerabilities Analyzing DANE's Response to Known DNSsec Vulnerabilities Matthew Henry Joseph Kirik Emily Scheerer UMBC UMBC UMBC henmatt1@umbc.edu joskir1@umbc.edu semily1@umbc.edu May 9, 2014 Abstract: SSL/TLS is currently

More information

PCI Compliance Considerations

PCI Compliance Considerations PCI Compliance Considerations This article outlines implementation considerations when deploying the Barracuda Load Balancer ADC in an environment subject to PCI Data Security Standard (PCI DSS) compliance.

More information

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Socket Layer (SSL) and Transport Layer Security (TLS) Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available

More information

Basics of SSL Certification

Basics of SSL Certification Introduction To secure transmission of information from browser to a web server, a security protocol is used. SSL (Secure Socket Lock) is one of the most popular and widely accepted security protocols,

More information

Network Security Essentials Chapter 5

Network Security Essentials Chapter 5 Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got

More information

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure

More information

Vulnerabilità dei protocolli SSL/TLS

Vulnerabilità dei protocolli SSL/TLS Università degli Studi di Milano Facoltà di Scienze Matematiche, Fisiche e Naturali Dipartimento di Informatica e Comunicazione Vulnerabilità dei protocolli SSL/TLS Andrea Visconti Overview Introduction

More information

Joe St Sauver, Ph.D. joe@internet2.edu or joe@uoregon.edu Manager, InCommon Cer;ficate Program and Manager, Internet2 Na;onwide Security Programs

Joe St Sauver, Ph.D. joe@internet2.edu or joe@uoregon.edu Manager, InCommon Cer;ficate Program and Manager, Internet2 Na;onwide Security Programs HTTP Strict Transport Security Performance: Is There An Issue? Does the Performance Working Group Have RecommendaAons for Tuning SSL/TLS For Internet2 Class Traffic? Joe St Sauver, Ph.D. joe@internet2.edu

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Transport Level Security

Transport Level Security Transport Level Security Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Integrated SSL Scanning

Integrated SSL Scanning Software Version 9.0 Copyright Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive

More information

ENTRUST CLOUD. SSL Digital Certificates, Discovery & Management +1-888-690-2424. entrust@entrust.com entrust.com

ENTRUST CLOUD. SSL Digital Certificates, Discovery & Management +1-888-690-2424. entrust@entrust.com entrust.com ENTRUST CLOUD SSL Digital Certificates, Discovery & Management +1-888-690-2424 entrust@entrust.com entrust.com Entrust Cloud SSL Digital Certificates, Discovery & Management Digital certificates have emerged

More information

What s Your HTTPS Grade? A Case Study of HTTPS/SSL at Mid Michigan Community College. Brandon Kish @kishba bkish@midmich.edu

What s Your HTTPS Grade? A Case Study of HTTPS/SSL at Mid Michigan Community College. Brandon Kish @kishba bkish@midmich.edu What s Your HTTPS Grade? A Case Study of HTTPS/SSL at Mid Michigan Community College Brandon Kish @kishba bkish@midmich.edu About Me Director of Programming Mid Michigan Community College ~4,500 students

More information

Security Protocols/Standards

Security Protocols/Standards Security Protocols/Standards Security Protocols/Standards Security Protocols/Standards How do we actually communicate securely across a hostile network? Provide integrity, confidentiality, authenticity

More information

Should You Trust the Padlock? Web Security and the HTTPS Value Chain. Keeping Current 20 November 2013 Ken Calvert

Should You Trust the Padlock? Web Security and the HTTPS Value Chain. Keeping Current 20 November 2013 Ken Calvert Should You Trust the Padlock? Web Security and the HTTPS Value Chain Keeping Current 20 November 2013 Ken Calvert Outline 1. What are we afraid of? 2. Countermeasures: Securing the Web 3. Public-key Crypto

More information

[SMO-SFO-ICO-PE-046-GU-

[SMO-SFO-ICO-PE-046-GU- Presentation This module contains all the SSL definitions. See also the SSL Security Guidance Introduction The package SSL is a static library which implements an API to use the dynamic SSL library. It

More information

Transport Layer Security Protocols

Transport Layer Security Protocols SSL/TLS 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally designed to by Netscape to secure HTTP Version 2 is being replaced by version 3 Subsequently became Internet Standard known

More information

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2 Contents Introduction--1 Content and Purpose of This Guide...........................1 User Management.........................................2 Types of user accounts2 Security--3 Security Features.........................................3

More information

CERTIFICATION PRACTICE STATEMENT UPDATE

CERTIFICATION PRACTICE STATEMENT UPDATE CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.

More information

COMODO CERTIFICATE MANAGER. Simplify SSL Certificate Management Across the Enterprise

COMODO CERTIFICATE MANAGER. Simplify SSL Certificate Management Across the Enterprise COMODO CERTIFICATE MANAGER Simplify SSL Certificate Management Across the Enterprise Comodo Certificate Manager CCM Enables nominated administrators the ability to manage the lifespan, issuance, deployment,

More information

LBSEC. http://www.liveboxcloud.com

LBSEC. http://www.liveboxcloud.com 2014 LBSEC http://www.liveboxcloud.com LiveBox Srl does not release declarations or guarantee regarding this documentation and its use and declines any expressed or implied commercial or suitability guarantee

More information

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler Certificates Noah Zani, Tim Strasser, Andrés Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate

More information

POODLE. Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp. 2015/3/3 APAN 39th in Fukuoka 1

POODLE. Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp. 2015/3/3 APAN 39th in Fukuoka 1 POODLE Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp 2015/3/3 APAN 39th in Fukuoka 1 Summary POODLE: Padding Oracle On Downgraded Legacy Encryption Discovered in October 2014 by Google

More information

Web Security. Introduction: Understand applicable laws, legal issues and ethical issues regarding computer crime

Web Security. Introduction: Understand applicable laws, legal issues and ethical issues regarding computer crime International Journal for Science and Emerging ISSN No. (Online):2250-3641 Technologies with Latest Trends 12(1): 1-6 (2013) ISSN No. (Print): 2277-8136 Web Security Amandeep Kang*, Navdeep Kaholn** and

More information

Certificates, Revocation and the new gtld's Oh My!

Certificates, Revocation and the new gtld's Oh My! Certificates, Revocation and the new gtld's Oh My! Dan Timpson sales@digicert.com www.digicert.com +1 (801) 877-2100 Focus What is a Certificate Authority? Current situation with gtld's and internal names

More information

StartCom Certification Authority

StartCom Certification Authority StartCom Certification Authority Intermediate Certification Authority Policy Appendix Version: 1.5 Status: Final Updated: 05/04/11 Copyright: Start Commercial (StartCom) Ltd. Author: Eddy Nigg Introduction

More information

Websense Content Gateway HTTPS Configuration

Websense Content Gateway HTTPS Configuration Websense Content Gateway HTTPS Configuration web security data security email security Support Webinars 2010 Websense, Inc. All rights reserved. Webinar Presenter Title: Sr. Tech Support Specialist Cisco

More information

present the complete guide to ssl and seo

present the complete guide to ssl and seo present the complete guide to ssl and seo The Complete Guide to Setting up SSL and SEO Google recently announced that HTTPS is now being used as a ranking signal in its search engine algorithm. Websites

More information

Secure Web Appliance. SSL Intercept

Secure Web Appliance. SSL Intercept Secure Web Appliance SSL Intercept Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About SSL Intercept... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...

More information

Web Security Considerations

Web Security Considerations CEN 448 Security and Internet Protocols Chapter 17 Web Security Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

Credit Card Security

Credit Card Security Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary

More information

Our Key Security Features Are:

Our Key Security Features Are: September 2014 Version v1.8" Thank you for your interest in PasswordBox. On the following pages, you ll find a technical overview of the comprehensive security measures PasswordBox uses to protect your

More information

Configuring Secure Socket Layer HTTP

Configuring Secure Socket Layer HTTP Finding Feature Information, page 1 Prerequisites for Configuring the Switch for Secure Sockets Layer HTTP, page 1 Restrictions for Configuring the Switch for Secure Sockets Layer HTTP, page 2 Information

More information

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day. SSL Certificate - Subject Common Name Does Not Match Server FQDN

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day. SSL Certificate - Subject Common Name Does Not Match Server FQDN Vulnerability Scan 06 October 2014 at 16:21 URL : http://www.test.co.uk Summary: 34 vulnerabilities found 0 10 24 72 Cookie Does Not Contain The "HTTPOnly" Attribute Cookie Does Not Contain The "secure"

More information

Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management

Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management Identify, Monitor and Manage All SSL Certificates Present Datasheet: Leveraging Symantec CIC and A10 Thunder ADC The information

More information

Maximizing Performance with SPDY & SSL. Billy Hoffman billy@zoompf.com @zoompf

Maximizing Performance with SPDY & SSL. Billy Hoffman billy@zoompf.com @zoompf Maximizing Performance with SPDY & SSL Billy Hoffman billy@zoompf.com @zoompf What is SPDY? Massive Browser Support Massive Server Support Cast of Characters TCP HTTP SSL X.509 Certificate Cryptography

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

Security + Certification (ITSY 1076) Syllabus

Security + Certification (ITSY 1076) Syllabus Security + Certification (ITSY 1076) Syllabus Course: ITSY 1076 Security+ 40 hours Course Description: This course is targeted toward an Information Technology (IT) professional who has networking and

More information

Introduction. Purpose. Background. Details

Introduction. Purpose. Background. Details Introduction Recent media reports confirm that Secure Socket Layer (SSL) 3.0 is obsolete and insecure. This report provides guidance on how to ensure your communications use the more secure Transport Layer

More information

Configuring Digital Certificates

Configuring Digital Certificates CHAPTER 36 This chapter describes how to configure digital certificates and includes the following sections: Information About Digital Certificates, page 36-1 Licensing Requirements for Digital Certificates,

More information

Integrated SSL Scanning

Integrated SSL Scanning Version 9.2 SSL Enhancements Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive

More information

Public Key Infrastructures

Public Key Infrastructures Public Key Infrastructures Ralph Holz Network Architectures and Services Technische Universität München November 2014 Ralph Holz: Public Key Infrastructures 1 Part 2: Recent results or: the sorry state

More information

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University Network Security Web Security and SSL/TLS Angelos Keromytis Columbia University Web security issues Authentication (basic, digest) Cookies Access control via network address Multiple layers SHTTP SSL (TLS)

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Protocol Rollback and Network Security

Protocol Rollback and Network Security CSE 484 / CSE M 584 (Spring 2012) Protocol Rollback and Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Wildcard and SAN: Understanding Multi-Use SSL Certificates

Wildcard and SAN: Understanding Multi-Use SSL Certificates Wildcard and SAN: Understanding Multi-Use SSL Certificates LEVERAGING MULTI-USE DIGITAL CERTIFICATES TO SIMPLIFY CERTIFICATE MANAGEMENT AND REDUCE COSTS Wildcard and SAN: Understanding Multi-Use SSL Certificates

More information

Web Security: Encryption & Authentication

Web Security: Encryption & Authentication Web Security: Encryption & Authentication Arnon Rungsawang fenganr@ku.ac.th Massive Information & Knowledge Engineering Department of Computer Engineering Faculty of Engineering Kasetsart University, Bangkok,

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

Configuring SSL Termination

Configuring SSL Termination CHAPTER 4 This chapter describes the steps required to configure a CSS as a virtual SSL server for SSL termination. It contains the following major sections: Overview of SSL Termination Creating an SSL

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-layer protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Lesson 10: Attacks to the SSL Protocol

Lesson 10: Attacks to the SSL Protocol Lesson 10: Attacks to the SSL Protocol Luciano Bello - luciano@debian.org Chalmers University Dr. Alfonso Muñoz - amunoz@diatel.upm.es T>SIC Group. Universidad Politécnica de Madrid Security of the SSL

More information

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Understanding Digital Certificates and Secure Sockets Layer (SSL) Understanding Digital Certificates and Secure Sockets Layer (SSL) Author: Peter Robinson January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What are they?

More information